We encountered an issue today that was very odd. We have policies assigned at the organizational level. Today we received a report that an application was having issues. When we reviewed the policy we noticed that it was a completely different policy assigned at the organizational level. We reviewed the audit log and saw the following entries for a particular user which included the policy that suddenly changed. The problem was that this user was not logged in to the console at the time that all this was logged. This is just a slice of what we see and these entries went on for about 16 hours. We haven't been able to verify that all the policies are assigned correctly but what we did notice was that this affected only the HIPS policies, including IPS, Application Blocking, and Firewall. Per the audit log it deleted, created, saved then assigned every single policy created for all components of HIPS. We have run every custom report to try to identify how this occurred. We have reviewed every single server task to ensure that we have a misconfigured task with this user. At this time we are looking for any suggestions or thougts.